https://community.cisco.com/t5/network-security/deny-tcp-src-outside-error/m-p/3889513#M26918 <P>Hi Guy's!</P><P>I have an issue I need some help with. In the log files we keep getting <STRONG>Deny tcp src outside:&nbsp;</STRONG>&nbsp;when this happens we are unable to receive some emails.&nbsp; I have attached a screen shot.&nbsp; Any help would be appreciated!&nbsp;&nbsp;</P><P>&nbsp;</P><P>Thank you!</P><P>&nbsp;</P><PRE><SPAN class="pEM_ErrMsg">%ASA-4-106023: Deny protocol src [<EM>interface_name</EM>:<EM>source_address</EM>/<EM>source_port</EM>] [([<EM>idfw_user</EM>|<EM>FQDN_string</EM>], <EM>sg_info</EM>)] dst <EM>interface_name</EM>:<EM>dest_address</EM>/<EM>dest_port</EM> [([<EM>idfw_user</EM>|<EM>FQDN_string</EM>], <EM>sg_info</EM>)] [type {<EM>string</EM>}, code {<EM>code</EM>}] by <EM>access_group acl_ID</EM> [0x8ed66b60, 0xf8852875]</SPAN></PRE><P class="pEE_ErrExp">A real IP packet was denied by the ACL. This message appears even if you do not have the <STRONG>log</STRONG> option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information is provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.</P> Fri, 12 Jul 2019 21:02:30 GMT achavez@indianpueblo.com 2019-07-12T21:02:30Z https://community.cisco.com/t5/network-security/deny-tcp-src-outside-error/m-p/3889513#M26918 <P>Hi Guy's!</P><P>I have an issue I need some help with. In the log files we keep getting <STRONG>Deny tcp src outside:&nbsp;</STRONG>&nbsp;when this happens we are unable to receive some emails.&nbsp; I have attached a screen shot.&nbsp; Any help would be appreciated!&nbsp;&nbsp;</P><P>&nbsp;</P><P>Thank you!</P><P>&nbsp;</P><PRE><SPAN class="pEM_ErrMsg">%ASA-4-106023: Deny protocol src [<EM>interface_name</EM>:<EM>source_address</EM>/<EM>source_port</EM>] [([<EM>idfw_user</EM>|<EM>FQDN_string</EM>], <EM>sg_info</EM>)] dst <EM>interface_name</EM>:<EM>dest_address</EM>/<EM>dest_port</EM> [([<EM>idfw_user</EM>|<EM>FQDN_string</EM>], <EM>sg_info</EM>)] [type {<EM>string</EM>}, code {<EM>code</EM>}] by <EM>access_group acl_ID</EM> [0x8ed66b60, 0xf8852875]</SPAN></PRE><P class="pEE_ErrExp">A real IP packet was denied by the ACL. This message appears even if you do not have the <STRONG>log</STRONG> option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information is provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.</P> Fri, 12 Jul 2019 21:02:30 GMT https://community.cisco.com/t5/network-security/deny-tcp-src-outside-error/m-p/3889513#M26918 achavez@indianpueblo.com 2019-07-12T21:02:30Z https://community.cisco.com/t5/network-security/deny-tcp-src-outside-error/m-p/3889785#M26921 Hi<BR /><BR />Can you show your acl outside_in and if you're using objects please share them as well to be able to read it.<BR /><BR />Can you share also the nat config for this machine 10.10.0.6? Sun, 14 Jul 2019 02:47:17 GMT https://community.cisco.com/t5/network-security/deny-tcp-src-outside-error/m-p/3889785#M26921 Francesco Molino 2019-07-14T02:47:17Z